
Just to be clear, this is signing for validation not encryption of the contents.

I wrote a guide on this topic of ensuring platform integrity at the system level (see https://wmealing.github.io/tpm-pcr07.html ); it's not too hard.



> Just to be clear, this is signing for validation

Yup. I was just referencing wanting to obtain keys from the TPM to decrypt a partition. This is useful for me to have the following setup:

- Laptop turned on, no keys pressed, boots into super locked down guest OS.

- Laptop turned on, certain key pressed within 2 seconds, boot into 'hidden' OS.

- In both cases, HDD is encrypted, decrypted automatically via retrieving keys stored in the TPM. This means the hard drive cannot be read outside of that particular laptop, unless keys are extracted from the TPM.

- Bootloader signed with own key, any and all existing keys wiped, so laptop cannot be booted with any external OS.

How would I recreate that setup with nmbl?

That's a good link by the way, thanks - saved.



